Krebs on Security

In-depth security news and investigation

Men Who Sent Swat Team, Heroin to My Home Sentenced

It’s been a remarkable week for cyber justice. On Thursday, a Ukrainian man who hatched a plan in 2013 to send heroin to my home and then call the cops when the drugs arrived was sentenced to 41 months in prison for unrelated cybercrime charges. Separately, a 19-year-old American who admitted to being part of a hacker group that sent a heavily-armed police force to my home in 2013 was sentenced to three years probation.

Sergei “Fly” Vovnenko, in an undated photo. In a letter to this author following his arrest, Vovnenko said he forgave me for “doxing” him — printing his real name and image — on my site.

Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1,” pleaded guilty last year to aggravated identity theft and conspiracy to commit wire fraud. Prosecutors said Vovnenko operated a network of more than 13,000 hacked computers, using them to harvest credit card numbers and other sensitive information.

When I first became acquainted with Vovnenko in 2013, Fly was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

After I secretly gained access to his forum, I learned he’d hatched a plot to have heroin sent to my home and to have one of his forum lackeys call the police when the drugs arrived.

I explained this whole ordeal in great detail in 2015, when Vovnenko initially was extradited from Italy to face charges here in the United States. In short, the antics didn’t end when I foiled his plot to get me arrested for drug possession, and those antics likely contributed to his arrest and to this guilty plea.

Vovnenko contested his extradition from Italy, and in so doing spent roughly 15 months in arguably Italy’s worst prison. During that time, he seemed to have turned his life around, sending me postcards at Christmas time and even an apparently heartfelt apology letter.

Seasons greetings from my pen pal, Flycracker.

On Thursday, a judge in New Jersey sentenced Vovnenko to 41 months in prison, three years of supervised released and ordered him to pay restitution of $83,368.

Separately, a judge in Washington, D.C. handed down a sentence of three year’s probation to Eric Taylor, a hacker probably better known by his handle “Cosmo the God.”

Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our Virginia home. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed[dot]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Taylor and his co-conspirators were able to dox so many celebrities and public officials because they hacked a Russian identity theft service called ssndob[dot]ru. That service in turn relied upon compromised user accounts at data broker giant LexisNexis to pull personal and financial data on millions of Americans.

At least two other young men connected to the exposed[dot]su conspiracy have already been sentenced to prison.

Eric “CosmoTheGod” Taylor, in a recent selfie posted to his Twitter profile.

Among them was Mir Islam, a 22-year-old Brooklyn man who was sentenced last year to two years in prison for doxing and swatting, and for cyberstalking a young woman whom he also admitted to swatting. Because he served almost a year of detention prior to his sentencing, Islam was only expected to spend roughly a year in prison, although it appears he was released before even serving the entire year.

Hours after his sentencing, Taylor reached out to KrebsOnSecurity via Facetime to apologize for his actions. Taylor, a California native, said he is trying to turn his life around, and that he has even started his own cybersecurity consultancy.

“I live in New York City now, have a baby on the way and am really trying to get my shit together finally,” Taylor said.

If Taylor’s physical appearance is any indication, he is indeed turning over a new leaf. At the time he was involved in publishing exposed[dot]su, the six-foot, seven-inch CosmoTheGod was easily a hundred pounds heavier than he is now.

Unfortunately, not everyone in Taylor’s former crew is making changes for the better. According to Taylor, his former co-conspirator Islam was recently re-arrested after allegedly cyberstalking Taylor’s girlfriend. That stalking claim could not be independently confirmed, however court documents show that Islam was indeed re-arrested and incarcerated last month in New York.

This entry was posted on Friday, February 17th, 2017 at 2:46 pm and is filed under Other.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

58 comments

The Justice system is based rehabilitation not retribution, Krebs feels he’s trying to change his life and so does the judge. Rehabilitation happens best outside of prison not in it, learning more from serious criminals. If he doesn’t he’ll be in jail in the blink of an eye. Whether you like it or not he’s a part of society and deserves opportunity to be a functioning member of that society,even after messing up big.

One injustice doesn’t excuse another. The US criminal justice system incarcerates seven times as many people (per capita) as the European system does through a combination of many more custodial sentences and much longer custodial sentences.

We would have to empty six out of every seven prisons in the US just to get down to the EU average, and not only is that an additional $40 billion burden on the US taxpayers, it has created a massive underclass of people who can no longer vote and often find it impossible to find an employer who will hire them.

There is an understandable and visceral impulse to want to throw the book at criminals who had harmed others, but that’s one of the reasons why this country got into this mess in the first place. One in every 36 adult Americans is already under some kind of government supervision (parole, prison, bail, etc.). Not a good record for a nation that prides itself as “the Land of the Free.”

No, in the US it definitely is NOT based on rehabilitation. It’s based on revenge and retribution and punishment with a healthy dose of official corruption thrown in. It’s *supposed* to be about rehab, but in practice the “tough on crime” political wing wins the elections in many jurisdictions.

We have private corporations running our prisons. Judges constantly “make examples” of people by giving them maximum sentences regardless of severity of the offense. LEOs constantly harass those that *are* trying to turn their lives around to get them thrown into prison on trumped up or trivial offenses. Laws criminalize trivial actions, or so vague they can fit whatever the prosecutor wants. Each election cycle you see calls and new laws to increase punishment for “problem crimes” -aka those that the current squeaky wheel agitates for- regardless of whether they address the underlying issue or not. We have crimes that have “minimum sentences” regardless of the severity of the actual crime. Prosecutors that consistently try to do end runs around Constitutional rights. We have civil forfeiture laws designed to allow LE to seize private property regardless of whether or not the owner is convicted of a crime and then sold, the proceeds opaquely channeled into the department’s own coffers. It’s a neat little legal racket. Make no mistake, it IS a racket and it’s every bit as corrupt as the Five Families ever were. And this happens in many states of the Union.

If you think I’m drawing this out of some Hollywood script, I assure you I’m not. This happens every day in the US. The only wonder is that not everyone isn’t in or been in jail at this point. It’s insane and it needs to stop.

True, but the rehabilitation part is woefully underfunded, and far too often is little more than lip service. It’s one of the reasons why the recidivism rate is several times higher than in nations like Norway, a country that is often mocked for its light sentencing and “hotel-quality prisons”, yet they do a much better job of protecting their citizens by keeping the number of repeat offenders down.

The main problem is that funding programs to help convicted criminals turn their lives around is deeply unpopular, even at the cost of paying to keep them in prison. It’s seen as rewarding the undeserving, even though it helps prevent future victims of crime by reducing recidivism.

There are some signs that’s beginning to change — mostly because the costs of incarcerating two million people are becoming unsustainable, but whatever the reason, we can’t keep repeating the same mistakes.

Or how about some government agency hire them? Since they were not convicted of felonies, they can be hired because of their experience.
Or maybe they have been. The names are different but the attack training vectors seem unusual. Certain databases, lead to certain trails of targets. Hmmm!

The problem is that not every criminal that gets caught is a Frank Abagnale. Some of them are going to be Whitey Bulgers. The problem with Russia and other places is that they have no problem giving the Whiteys free license to continue their trade if they help the government. The US at least tries to not do that. Even if they occasionally fail, that doesn’t mean they always do (which is a hard concept for some to grasp these days).

Really, 10 years mandatory prison? Swatting is mostly performed by teenagers as a form of bullying and show of power. These teenagers often show signs of social behavioural problems, lack of empathy and often not realising that their online actions have real life consequences.

The lack of comprehension for empathy and the existing social behavioural problems makes swatting someone online seem like a joke viewed over the internet without having too much moral guilt due to the reasons explained.

Locking a conflicted person at a young age up for the better part of their adolescent life will not result in a better functioning member of society, but more in a threat to future society.

If you’d take the money and resources required to lock someone up for 10 years and instead spend it on educating these young people you’d be done in about 3 to 12 months, at 10% of the cost, and benefit of your efforts for the rest of their lives.

Personally, I feel prison time should be mandatory for SWATing. Yes, it is “just kids” but – they’re sending men with guns to people’s houses. Having said that, they’re generally not getting bail, so they’re getting that essential “short sharp shock” required.

Swatting is NOT cyber bullying. It is sending armed men expecting the worse to raid your house. Finger on the trigger, ready to kill. The expectation of the person making the call is that there will be a killing.
Swatting is at the least; Attempted Murder.
Cyber bullying is harassment with words.

I’m glad to hear the news, although the prison term should have been much longer. What if Brian Krebs was a Black Panther, or some other person affiliated with a cause that not everybody stands for? This story could have easily had a very different and potentially tragic ending, beginning with the SWAT team showing up at Brian’s house.

Complying ng with armed people is generally a good idea, whether it is a legal obligation or not, but he really should be thankful that they didn’t shoot any of his pets. A rightfully protectful dog, even if just being “aggressively” loud, is often put down by fully body armored swat teams.

Really, you want to indefinitely imprison a 19 and 22 year old person? Please remember that they were ~15 and ~18 when they committed their crimes, and please remember that these crimes were committed over the internet to harm people on another continent.

These kids should know better, everyone should know better. But please understand that for a 15 year old who probably doesn’t have much more than his online life and status, doing things online starts to fade away from reality, especially when your target is so far away both literally and figuratively. Punishments are in order, but a big part of punishment is educating and the possibility to improve / learn from mistakes made.

Actions don’t directly define people. I’ve done things as a teenagers that could’ve landed me in Jail but luckily they haven’t. I have looked back on those mistakes, regretted making the choices and improved my life for the better.

Are we really disregarding our responsibility as a society to keep educating people (especially younger people)? Would we rather return to crucifying and public shaming like we did hundreds of years ago?

John, you wrote “Are we really disregarding our responsibility as a society to keep educating people (especially younger people)? Would we rather return to crucifying and public shaming like we did hundreds of years ago?” As for the first question I am for. That’s valid and important question. But the second?…
In Sweden until sixties – after about 300 years of draconian punishment of any crime – theft was completely unknown: you could leave your suitcase at a bus stop and find it after a day or two untouched. So even generally inhuman treatment of criminals shouldn’t be assumed ineffective. Thus your argument is inappropriate here…

I don’t get it, but maybe the courts figure that once someone like that is brought out in the sun light, that it will be way easier to cop them once they try re-offending. You would think a bat in a dark cave would try to avoid sun burn like the plague; but we shall see. I hope Brian can find some peace with whatever small deterrence these convictions hold.

Most of us do not get “adult brains” until 21-25 years of age. As commenter John mentioned, the lack of empathy often typical in teens is very common. Teens may understand what they do to people in their presence and tone their shenanigans down, but the more distant from people, the more likely the pranks get out of control. I am ashamed to say I caught a car on fire as a teen, having not really thought out what I was doing until I saw the flames spreading. That slap in the face helped me grow up, but a tour of prison would have been counterproductive I think.

Krebs certainly rules in the security world, thanks Brian for all you do!

Right – the prefrontal cortical neurons connecting to the rest of the brain do not fully myelinate until 25 or later – so your inhibitory centers – what humans rely upon for “common sense” – are basically shorted out and offline until then. And the prefrontal cortex is arguably what is most definably human about our brains vs., say, chimps.

The savage bloviating and bellowing on this forum about “justice” is really hard to bear. I sense it bodes badly for things we cherish, like net neutrality.

Just getting a conviction is a big step towards making sure they either get their act together or get caught faster the next time. Once they have identified one of these critters with an MO and is on a list those previously convicted, it makes it that much faster.

Check out the book, Catch Me If You Can for a view of both kinds of penal experience and his point of view.

Mr. Krebs mentions that the kid who committed the crime has apologized to him and accepts responsibility for his crime. Mr. Krebs says that it might indeed mean that this young man has “turned a corner”.

Let’s hope so.

But let’s note too that Mr. K is not only being magnanimous to the young man who caused him to be handcuffed by police carrying automatic weapons. He’s also giving him a role model.

Mh. In jail his gona be worst. only what he learn there is more crimes. something in the world is really wrong that skilled people have to commit crimes. ??
prisons are run by the corporations. Yes more the tax payers will pay. Usa is rigged country so as russia.
i dont know if there is any country left that its notmal ??
I remebered when they put in jail one guy who was guilty defrauding investors. He wasn’t even the guy who organised but he got blamed.
well known fact that people whos victims of system commit crimes but with their own crimes they help this rigged global system. And at the end they will be dropped into prisons like junk. Thats how it is and when they remain normal like they dont go grazy then they will get out from prison…they probably become terrorist.
Lesson here!! Dont look for freedom dont try to be free becouse dont be fre.

Having a plot like that against you has to suck. I think that people are swat and do crimes like that are extremely twisted and screwed up. I guess that’s the cost of being a security researcher and exposing people for their crimes. I’m glad this was resolved though and you didn’t end up in prison 🙂

That guy made one mistake !! coz his young and naive without life experince he was taking seriously personally. Tgings.
its all just business… he had the opportunity to earn just money.
he stayed untoucheble…until he was other country.
just becouse he made it personally its not business anymore its business. And once you taking things on personal level the law can catch you up easy. Here…is the thing if you dont personanised yourself and you stay as “Business” then you are untoucheble. Becouse you dont personised yourself.
catding is just business and in business nothing personal.
and thats what mistake this youngster made.
before you are going to brake the first you should learn the law otherwise dont risk
tooo many young naive and stupid people out therd who think they are tough guys and can do everything.
He tought other fraudsters will be proud about his heroin sending thing…but nobody dont care and nobody dont take it personally. He and others who make their Business personal they all and always end up in jail.
If you harm or touch other person personally then the law can touch you.if you are behind the business then you are behind wall safe wall. its mandatory to learn and study about Commerce scheme laws read all about.